2026-06-24, Track 1
The Windows Recovery Environment (WinRE) is a foundational component of the Windows stack, embedded in over a billion devices worldwide. It plays a critical role in recovering systems from various types of severe failures.
A fundamental requirement for any recovery operation is identifying its associated disk volume. To meet this requirement, volume lookup functionality is implemented separately in both the WinRE boot phase and the WinRE runtime phase. Historically, maintaining two separate mechanisms for retrieving the same information has proven fragile and error-prone. This raises a critical question: what happens when these lookup mechanisms fall out of sync?
In this talk, we introduce a novel attack class on WinRE. Our exploration begins with an analysis of the various volume lookup logics and the inconsistencies between them. We then reveal 4 unique vulnerabilities that confuse WinRE into recovering an attacker-controlled volume instead of the intended associated volume. Building on these confusion primitives, we present 2 exploitation techniques that escalate the impact to a full BitLocker bypass, allowing extraction of all BitLocker-protected secrets in several different ways.
To conclude the presentation, we will share how we collaborated with the engineering teams to develop a comprehensive, end-to-end mitigation that addresses the entire attack class.
This talk offers valuable insights into the intersection of BitLocker, Windows Boot, and Windows Recovery, highlighting how combining knowledge across these domains leads to impactful results.
Alon (@alon_leviev) is a self-taught security researcher working with the Microsoft Specialized Clouds organization as part of the Security Testing & Offensive Research team at Microsoft (MSC STORM). Alon specializes in low-level vulnerability research targeting hardware, firmware, and Windows boot components. He has presented his findings at internationally recognized security conferences such as DEF CON 33 (2025), DEF CON 32 (2024), Black Hat USA 2025, Black Hat USA 2024, Black Hat EU 2023, CCC 2025, CanSecWest 2024, and more. Prior to his career in cybersecurity, Alon was a professional Brazilian jiu-jitsu athlete, winning several world and European titles.